How Target-Like Breaches Occur (P.S. More Are Expected)


Maybe you are among the 110 million Target shoppers whose payment card or personal information was hacked during the recent holiday shopping season. Perhaps you are one of the 1 million-plus Neiman Marcus customers whose data was exposed in a 2013 breach just recently announced.

Been to Michaels lately? The arts and crafts retailer is the latest well-known company whose customer payment details were reportedly stolen in the same type of data breach.

How are con artists doing it - and which trusted retailer is next?

Sadly, warn the FBI and other authorities, wherever you shop, prepare for more of the same: cyber attacks that employ sophisticated malware to specifically target point-of-sale (POS) systems such as cash registers and card-swiping devices.

In a confidential report shared with select U.S. retailers and obtained by Reuters last week, the FBI identified "memory-parsing" malicious software - also known as a "RAM scraper" - as the source of about 20 Target-like hacking cases in the past year. And the bureau predicted that additional POS attacks will follow.


Typically, when a customer or store clerk swipes a credit or debit card, data from its magnetic stripe is collected by the POS terminal for transfer to the retailer's payment processing provider.

But before that data is encrypted, nearly undetectable RAM scrapers - installed remotely but exactly how is still being investigated - allow hackers to extract account numbers, PINs and users' personal information while it is in the computer's live memory, where it very briefly appears in plain text.

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the FBI report obtained by Reuters. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors."

On the black market, this malware sells for up to $6,000, and some reports indicate these hackers may be tied to the Russian mob. The FBI noted that one variant, known as Alina, included an option that allowed for "remote upgrades" to make it even harder for corporate security teams to identify and stop.

What does this mean to you?

  • Whenever possible, pay with cash rather than plastic to reduce vulnerability to POS-related attacks.
  • If you use credit or debit cards, keep close tabs on your accounts. Besides carefully reviewing monthly credit card and bank statements, you might consider monitoring payment card activity nearly every day. Many banks and credit card companies also allow you to enroll in free email alerts to notify you about suspicious account activity, including change of address requests.
  • If you spot questionable or fraudulent activity, immediately contact your bank or credit card provider. Ask to speak with the fraud department, which likely will close that account and assign you new numbers and plastic.
  • If your personal or payment account information is stolen, the breached company may offer you free credit monitoring - typically for one year. Take advantage of it (only about 20 percent of breach victims do) for an extra layer of protection. But realize that credit monitoring looks for changes on a credit report - such as the opening of new accounts in your name - and doesn't alert you if someone is fraudulently using your existing credit or debit cards.
  • Even after taking those steps, check your credit report for free at or by calling 877-322-8228 toll-free. Federal law requires each of the three nationwide consumer reporting companies - Equifax, Experian and TransUnion - to provide a free copy of your credit report every 12 months if you ask for it. Look for the fraudulent opening of new accounts in your name and immediately report any that you find.
  • Beware of phishing scams - especially in the aftermath of a well-publicized breach. Scammers often send emails or text messages purporting to be from breached companies that ask you to confirm or provide personal information such as account numbers, Social Security numbers and passwords. Don't click on links in these emails, which may unleash other computer malware designed to provide hackers with remote access to files or online account information.
  • Consider a security freeze. If you're not planning to apply for new credit or insurance policies in the near future, this measure will prevent anyone (except you) from accessing your credit report - and legitimate businesses will not issue accounts in your name without checking your credit report. A freeze can be ended and reinstated as needed, and depending on the law in your state, costs are often waived for older Americans or those who provide proof of having been a past victim of identity theft. Details are available at websites of each credit reporting bureau; if you go that route, be sure to sign up at all three.


Photo: Davide Restivo/Flickr
